feat: checkov scans for helm charts (#5631)

This commit is contained in:
Andrew Kreuzer 2024-06-07 11:06:55 -04:00 committed by GitHub
parent 88ea3923a7
commit 5b5d2f7ef0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 177 additions and 1 deletions

View file

@ -12,6 +12,7 @@ FROM alpine/terragrunt:1.8.4 as terragrunt
FROM dotenvlinter/dotenv-linter:3.3.0 as dotenv-linter
FROM ghcr.io/terraform-linters/tflint:v0.51.1 as tflint
FROM ghcr.io/yannh/kubeconform:v0.6.6 as kubeconfrm
FROM alpine/helm:3.14.4 as helm
FROM golang:1.22.3-alpine as golang
FROM golangci/golangci-lint:v1.59.0 as golangci-lint
FROM goreleaser/goreleaser:v1.26.2 as goreleaser
@ -259,6 +260,11 @@ COPY dependencies/google-java-format /google-java-format
RUN --mount=type=secret,id=GITHUB_TOKEN /install-google-java-format.sh \
&& rm -rfv /install-google-java-format.sh /google-java-format
################
# Install Helm #
################
COPY --from=helm /usr/bin/helm /usr/bin/
# Copy Node tools
COPY --from=npm-builder /node_modules /node_modules

View file

@ -160,6 +160,7 @@ control "super-linter-installed-commands" do
{ linter_name: "goreleaser"},
{ linter_name: "google-java-format", version_command: "java -jar /usr/bin/google-java-format --version"},
{ linter_name: "hadolint"},
{ linter_name: "helm", version_option: "version"}, # not used as linter, needed for checkov's helm framework
{ linter_name: "htmlhint"},
{ linter_name: "isort"},
{ linter_name: "jscpd"},
@ -510,7 +511,8 @@ control "super-linter-validate-files" do
"/action/lib/.automation/.yaml-lint.yml",
"/action/lib/.automation/phpcs.xml",
"/action/lib/.automation/phpstan.neon",
"/action/lib/.automation/psalm.xml"
"/action/lib/.automation/psalm.xml",
"/usr/bin/helm", # needed for checkov's helm framework
]
files.each do |item|

View file

@ -0,0 +1,24 @@
apiVersion: v2
name: bad_chart
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"

View file

@ -0,0 +1,31 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-deployment
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: test
template:
metadata:
labels:
app: test
spec:
serviceAccountName: {{ .Values.serviceAccount.name }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http

View file

@ -0,0 +1,14 @@
replicaCount: 1
image:
repository: nginx
pullPolicy: IfNotPresent
tag: ""
serviceAccount:
create: true
automount: true
name: "test"
service:
port: 80

View file

@ -0,0 +1,24 @@
apiVersion: v2
name: good_chart
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"

View file

@ -0,0 +1,39 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-deployment
namespace: test
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: test
template:
metadata:
labels:
app: test
spec:
serviceAccountName: {{ .Values.serviceAccount.name }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}@{{ .Values.image.digest }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}

View file

@ -0,0 +1,36 @@
replicaCount: 1
image:
repository: nginx
pullPolicy: IfNotPresent
tag: ""
digest: "bXlzdXBlcnNlY3JldGhpZGRlbnN0cmluZwo"
serviceAccount:
create: true
automount: false
name: "test"
podSecurityContext:
seccompProfile:
type: RuntimeDefault
securityContext:
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10001
service:
port: 80
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi